| Título | RAGapp ragapp 0.1.5 and earlier; verified on commit f7f88892a92c110853dfa019f2c4a605a4a7b6f5 CWE-22 Improper Limitation of a Pathname to a Restricted Directo |
|---|
| Descripción | A vulnerability was found in RAGapp 0.1.5 and classified as medium severity. Affected is the knowledge file management component. The manipulation of the multipart upload filename argument leads to path traversal because the server writes uploaded content using a client-controlled path fragment.
Authentication required: deployment-dependent. The application code does not enforce authorization on the management file router; some deployments may rely on an external API gateway or reverse proxy for access control. User interaction required: no.
Technical Details
- Affected file/function: src/ragapp/backend/controllers/files.py, FileHandler.upload_file()
- Affected route: POST /api/management/files
- Vulnerable parameter: uploaded file filename
- Attack vector: Network
- Privileges required: None when the management API is exposed without an enforcing gateway; Low/Admin when protected by external access control
- Trigger condition: submit a multipart file upload with a filename containing traversal components such as ../outside_upload.txt and an allowed extension such as .txt, .pdf, or .csv
The vulnerable code calls:
with open(f"data/{file_name}", "wb") as f:
f.write(await file.read())
The extension validation uses os.path.splitext(file_name)[1], so a traversal filename such as ../outside_upload.txt still passes the default .txt allowlist. The resolved write target is outside the intended data/ directory. The remove_file() function uses os.remove(f"data/{file_name}") and has the same unsafe filesystem sink for deletion; practical HTTP exploitability of deletion may depend on path routing and encoded slash handling.
Impact
- Confidentiality: None
- Integrity: High
- Availability: Low
An attacker who can reach the management upload API can write attacker-controlled content with supported extensions outside the knowledge data directory in writable locations. This can pollute application state, overwrite writable files with supported extensions, and disrupt service behavior. In a RAG application, unauthorized knowledge-file writes can also lead to retrieval/index pollution if files are indexed after upload.
Proof of Concept
This was verified locally in a temporary directory without contacting any production service. The affected handler was imported with indexing stubbed out, then called with file_name set to ../outside_upload.txt. The resulting file was created outside data/.
Observed output:
workdir=/tmp/ragapp-filehandler-poc-cv718rvf
upload_outside_exists=True
upload_outside_content=agent-scan-poc-rerun
data_dir_entries=[]
delete_outside_exists_after=False
CVSS v3.1
Score: 6.5 (Medium)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
If the management API is exposed without authentication, the vector becomes:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
Score: 7.1 (High)
Timeline
- Discovered: 2026-05-27
- Vendor notified: 2026-05-27
- Patch released: [unknown]
- Public disclosure: [unknown]
Countermeasure
Reject filenames containing path separators or traversal components, normalize uploads to server-controlled basenames, resolve the final path, and verify that the resolved path remains under the intended data directory. Apply the same validation to deletion and consider generating server-side storage names instead of trusting client-provided filenames. |
|---|
| Fuente | ⚠️ https://github.com/ragapp/ragapp/issues/293 |
|---|
| Usuario | Dem000000 (UID 98564) |
|---|
| Sumisión | 2026-05-27 14:23 (hace 1 mes) |
|---|
| Moderación | 2026-06-28 08:23 (1 month later) |
|---|
| Estado | Aceptado |
|---|
| Entrada de VulDB | 374517 [RAGapp hasta 0.1.5 Knowledge File files.py FileHandler.upload_file/FileHandler.remove_file recorrido de directorios] |
|---|
| Puntos | 20 |
|---|